Uggh, yes, that.
Nowadays it’s change settings, refresh page, navigate 10 intermediate pages because SPA, confirm that your settings stuck.
Another self portrait, drawn when he was 90 or 91. Probably my favorite of his self portraits. Titled “The Young Painter”:
It was incredible to see it live unprepared. When you look chronologically through his paintings, you see basically every modern style there is - the guy participated in a lot of art movements over the twentieth century - and was proficient and productive in several of them. He starts classically, but soon descends into surrealistic nightmares and all the other things he became famous for. And then, finally, in the end, after all this insanity of lines and cubes and shapes and trying to figure out meanings (or at least subjects), you come to the last painting in the exhibition, and it really looks like something a talented ten-year-old could draw - full of life and innocence and optimism.
That is conveniently left out of the spec. An attestation server may require a signed binary on a client system, it may require whatever it wants really, because why not? It’s a website that decides to trust an attestation server or not.
They aren’t proposing a way for browsers to DRM page contents and prevent modifications from extensions.
And yet, this proposal would make it easier to do so.
Basically, it would allow websites to only serve users who comply with website requirements (i.e., no extensions, no ad blockers, only Chrome-based, whatever) whatever these requirements are.
You (your browser) go to a website, example.com, which requires attestation. So you must go to an attestation server and attest your device/browser combo (by telling the attestation server whatever information it requires). If the attestation server thinks you are trustworthy, it gives you an integrity token that you pass to example.com, and then you can see example.com. The website knows which attestation server issued your integrity token, so you can’t create your own.
So no extra software means no attestation server would attest you; means you can’t see example.com. End of story. It’s the same as the current “your browser is not supported” window, only you can’t get around it by changing the user agent.
As usual with these initiatives, bullshit is spread across different specs - this spec by itself implies that any number of attestation servers can exist, and they can check whatever they want, and no browser should be excluded, etc., etc., but a practical implementation would probably check installed extensions, etc.
They get to this result on 0.6 MB of data (paper, page 5).
They even say:
This requires an explanation. I do see the need - if you promise 100Gbps you need to process at least a few Tbs.